Tutorial: Replay Attacks with an RTL-SDR, Raspberry Pi and RPiTX

UPDATE: Version 2 of RPiTX renders this tutorial obsolete, as it is now very easy to copy and replay signals using the RPiTX GUI (or the "sendiq" command) and an RTL-SDR. This tutorial is still valid for the overall concept.

With an RTL-SDR dongle, a Raspberry Pi, a piece of wire and literally no other hardware, it is possible to perform replay attacks on simple digital signals like those used by 433 MHz ISM band devices. This can be used, for example, to control wireless home automation devices like alarms and switches.

In this tutorial we show how to perform a simple capture and replay using an RTL-SDR and RPiTX. With this method there is no need to analyze the signal, extract the data and replay it using a 433 MHz transmitter: RPiTX replays the recorded signal directly without further reverse engineering, just as if you were using a TX-capable SDR like a HackRF to record and transmit an IQ file.

Note that we have only tested this replay attack with simple OOK 433 MHz devices. Devices with more complex modulation schemes may not work with this method, but the vast majority of 433 MHz ISM band devices use simple modulation schemes that will work. Also, replay attacks will not work on things like car keys and most garage door openers, as those use rolling code security, where each transmission carries a new code.
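To make the rolling-code caveat concrete, here is an added Python model (not code from the original post or from RPiTX) of a fixed-code receiver beside a rolling-code receiver, each fed the same captured frame twice. The key, device id, 4-byte HMAC tag and 16-step window are constructed assumptions for the demo, not any real product's format.

```python
import hashlib
import hmac

# Constructed demo secret and device id (assumptions, not any real remote's values).
KEY = b"demo-key-not-a-real-device-secret"
DEVICE_ID = 0x2A

def make_tag(device_id, counter):
    # Authentication tag over (device id, counter); stands in for a rolling-code cipher.
    msg = bytes([device_id]) + counter.to_bytes(4, "big")
    return hmac.new(KEY, msg, hashlib.sha256).digest()[:4]

class FixedCodeReceiver:
    # Models a simple OOK socket or alarm: any frame equal to its static code is accepted.
    def __init__(self, code):
        self.code = code
    def accept(self, frame):
        return frame == self.code

class RollingCodeRemote:
    # Increments a counter on every press and tags it, so no two frames on air repeat.
    def __init__(self, device_id):
        self.device_id, self.counter = device_id, 0
    def press(self):
        self.counter += 1
        return (self.device_id, self.counter, make_tag(self.device_id, self.counter))

class RollingCodeReceiver:
    # Accepts a frame only if its tag verifies and its counter moves forward within a window.
    def __init__(self, device_id, window=16):
        self.device_id, self.last_counter, self.window = device_id, 0, window
    def accept(self, frame):
        device_id, counter, tag = frame
        if device_id != self.device_id:
            return False
        if not hmac.compare_digest(tag, make_tag(device_id, counter)):
            return False
        if not self.last_counter < counter <= self.last_counter + self.window:
            return False  # stale counter: a replayed capture is rejected here
        self.last_counter = counter
        return True

def replay_demo():
    fixed, captured = FixedCodeReceiver(b"\xa5\x5a\x01"), b"\xa5\x5a\x01"  # constructed OOK code
    fixed_results = (fixed.accept(captured), fixed.accept(captured))
    remote, rolling = RollingCodeRemote(DEVICE_ID), RollingCodeReceiver(DEVICE_ID)
    captured = remote.press()
    rolling_results = (rolling.accept(captured), rolling.accept(captured))
    # A fresh press (counter advanced) still works after the replay was rejected.
    return fixed_results, rolling_results, rolling.accept(remote.press())
```

The fixed-code receiver accepts the recording both times, which is exactly what the tutorial below relies on; the rolling-code receiver accepts the first frame and rejects its replay.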

A video demo is shown below:

Replay Attacks at 433 MHz with RTL-SDR and a Raspberry Pi running RPiTX

Hardware used and wireless ISM band devices tested with RPiTX

RPiTX

RPiTX is open source software which allows you to turn your Raspberry Pi into a general purpose transmitter for any frequency between 5 kHz and 500 MHz. It works by using square waves to modulate a signal on the GPIO pins of the Pi. If controlled in just the right way, FM/AM/SSB or other modulations can be created. By attaching a simple wire antenna to the GPIO pin, these signals become RF signals transmitted into the air.

Of course this creates an extremely noisy output with a significant number of harmonics, so to be legal and safe you must always use bandpass filtering. Harmonics could interfere with important life-critical systems (e.g. police/EMS radio, aircraft transponders, etc.).

For testing, a short wire antenna shouldn't radiate much further than a few meters past the room you're in, so in this case you should be fine without a filter. But if you ever connect to an outdoor antenna or amplify the signal, then you absolutely must use adequate filtering, or you could find yourself in serious trouble with the law. Currently there are no commercially made 433 MHz filters for RPiTX that we know of, so you would need to make your own. Also remember that you are still only allowed to transmit in bands that you are licensed for, which for most people means the ISM bands.

Tutorial

In this tutorial we show how to perform replay attacks on simple OOK modulated 433 MHz ISM band devices using an RTL-SDR dongle and RPiTX. The RTL-SDR is used to record an AM audio file of the signal, and then RPiTX does its magic to transform that recording into a file that can be transmitted back on the same frequency via one of the Raspberry Pi's GPIO pins.

Install RPiTX

Installation instructions are available on the RPiTX GitHub page at https://github.com/F5OEO/rpitx. It is very simple to install: all you need to do is clone the repo and then run the automated install script.

Install the latest Keenerd version of RTL-SDR

We need the Keenerd version of RTL-SDR because it provides an option to output rtl_fm data with a WAV header, allowing us to record directly to a WAV file using sox.

Install Sox

sudo apt-get install sox

Recording the Data

Using receiver software with a visual spectrum analyzer and/or waterfall, such as SDR#, GQRX, HDSDR or SDR-Console, determine the exact frequency and bandwidth of the digital signal that you want to copy. For example, in the image below the center frequency of the signal is 433.897 MHz and the bandwidth is about 10000 Hz (10 kHz). You may also want to determine the optimum RF gain setting.

Be aware that many cheap remotes are not particularly frequency accurate, and the frequency can shift slightly just from the position of your hand on the remote. So be consistent in the way you handle the remote to ensure that you are always on frequency.

Example of a 433 MHz device transmitting.

When ready, run the following command on your Pi, press the button on your remote, and then press CTRL+C on the keyboard to stop the recording. Make sure to change the frequency (-f), bandwidth (-s) and gain (-g) to the values you determined earlier. This command records an AM 48 kHz WAV file of your keyfob signal; 48 kHz is what RPiTX expects.

Normalize the Audio

Normalizing the audio brings the volume up to the loudest it can be without distorting the waveform. This must be done, otherwise the RPiTX output will be weak. Use the following sox command to create the normalized file myrec_n.wav.

sox --norm=-3 myrec.wav myrec_n.wav

If you have speakers plugged into your Pi or an HDMI monitor attached to it, you can optionally use the following command to play back the recorded audio. You should be able to hear the signal.

play myrec_n.wav

Create an RFA File

This step converts the wav file into an RFA file, which is a file format used by RPiTX when transmitting. The RFA file format seems to work much better than the IQ options for AM OOK signals.

piam myrec_n.wav myrec.rfa

Transmit with RPiTX

Use the following command to transmit with RPiTX, ensuring that you set the frequency to the correct value for your wireless device.

sudo rpitx -m RFA -i myrec.rfa -f 434004

Troubleshooting

If it doesn't work the first time, try these steps:

Make another longer recording with the button pressed down for longer.


Why does gqrx fail to start when I try to run it with keenerd's libraries? It works fine with the osmocom rtl-sdr libraries. The error is:
gqrx: symbol lookup error: /usr/lib/x86_64-linux-gnu/libgnuradio-osmosdr.so.0.1.5git: undefined symbol: rtlsdr_set_bias_tee

I tried your example, but I think the sampling rates aren’t correct for me. When I do it with HDSDR, the input sample rate is 2MHz, which is not an allowed sampling rate here. Any solution or procedure to try?

It works semi-successfully. For some reason I can only switch the 433 MHz remote socket on. When I try to replay the off-signal, nothing happens. I have tried several times with different recordings. What could be the reason for that?

A couple of specific questions:

1) When you replay the command, you use 434.004 MHz while you record at 433.897 MHz. Is this just a typo, or is there a reason for it?

One of your signals is within the receiver’s tolerance, the other is not. Rpitx is crap. You record a frequency, it transmits another. Totally unstable. Even the best solutions to modify the CPU governor or use more stable C libraries are below the lowest level of any practical use.

What is your point about the Pi? All CPUs are private technology, as are the mainboards for all microcontrollers; they are all patented. So I am not sure I understand your point about the RPi being a nonfree device… all variants, Pis, Beagles, etc. are nonfree based devices. You have to use private (owned) technology in all of them.

Your readers might also find this interesting: http://www.securipi.co.uk/remote-433-receivers.pdf – it uses inexpensive 433 MHz or 315 MHz receiver and transmitter boards connected to a Raspberry Pi, doesn't require the filtering you talk about in the article, and allows capture & replay of standard AM OOK signals.
